No 'Right' to Crypto Export?

The Pentagon's top civil servant said that no company has a "God-given right" to export powerful American data-scrambling technology that would allow foreign nationals to communicate in total secrecy, according to information made public this week.

US Deputy Secretary of Defense John Hamre also told Fortune 500 company officials in a speech last week that the government was in talks with Netscape Communications and other software firms about facilitating law enforcement access, under court order, to scrambled information sent over the Net.

The text of Hamre's speech to chief information officers in Aspen, Colorado, was made available online Tuesday.

Hamre addressed the issue of crypto export controls, long a thorn in the side of Silicon Valley computer security companies. Industry leaders see the controls, which strictly limit the export of strong data-scrambling software and hardware, as generating an unfair advantage for overseas competitors.

But the Department of Defense and intelligence agencies like the FBI and the National Security Agency believe strong crypto poses a threat to national security because it would allegedly allow terrorists to communicate in secret.

Software industry leaders counter that such terrorists already have access to strong encryption that has been developed overseas – ironically, a likely result of the US policy.

"I'd also ask American business not to make a campaign out of just trying to bust through export controls as though somehow there was a God-given, inherent right to send the strongest encryption to anybody in the world, no matter who they are," Hamre said.

"I don't agree with that. I will never agree with that."

The US government currently forbids the export of products with encryption stronger than 56 bits unless they have "key recovery," a means by which law enforcement, armed with a court order, could recover the scrambled information. Civil liberties organizations, such as the Electronic Frontier Foundation, have battled that plan for years.

"I would ask you to step past this debate that we're having on cyber liberties vs. law enforcement," Hamre said. "We're going to have to get to a more sophisticated understanding of this problem, and we don't have a lot of time.

"I do not believe that it's more important to protect ourselves against terrorists if it means it comes at the expense of civil liberties in the United States," Hamre said.

Hamre admitted that strong encryption was dangerous but also essential to protecting the country's communications and enabling commerce and secure transmissions on the Internet.

"We have to protect ourselves in this environment and it's got to be with encryption and some form of security management, key recovery in our case," Hamre said. "But we're going to make it voluntary.... It's something we all have to do, frankly, for the country."

In helping to build the information security architecture, Hamre said the government has entered into contracts with a number of technology firms, including Netscape.

"We've entered into contracts with a number of large houses to help us bring that [voluntary key recovery] architecture. We'll get the first one running this fall with Netscape, and hopefully, it'll be operational in October," he said.

Netscape was unavailable for comment.

Hamre went on to say that 56-bit encryption was good enough for most applications.

"I mean, there isn't anybody in the world that could routinely bust that level of encryption in the same time sequence it takes to issue it," he said. "[W]e're not prohibiting anybody from using enormously strong encryption today."

Earlier this month, the Electronic Frontier Foundation announced it had built a system for less than US$250,000 that could crack a 56-bit encoded message in fewer than three days.

Despite his reservations about strong crypto, which could protect critical systems, Hamre said that the nation is currently "wide open to attack electronically."

He revealed further details of Operation "Eligible Receiver," a Defense Department information warfare exercise conducted last year. The Pentagon hired a team of 30 to 35 crackers to see how far they could penetrate government and critical infrastructure systems.

The hackers worked for three months, using only off-the-shelf hardware and software and programs downloaded from what Hamre characterized as "hacker Web sites."

"We didn't really let them take down the power system in the country, but we made them prove that they knew how to do it," he said.

Hamre admitted that the Defense Department is "surprisingly vulnerable" as well, since most government communication is now conducted over commercial channels.

Editor's Note: The headline and first paragraph of this story have been corrected to better reflect the context of John Hamre's remarks regarding the export of powerful US encryption technology. In the original story, Hamre's comments regarding "no God-given right" were misrepresented as suggesting that no two people in the world had the right to communicate in total secrecy. Wired News regrets the error.